From 88b6607df6599784f14a689bf0088f3003c3b98e Mon Sep 17 00:00:00 2001 From: DJ Date: Sat, 4 Apr 2026 05:48:07 -0700 Subject: [PATCH 1/7] docs: add CI/CD standards and workflow patterns Document standard CI configurations across all repos including required workflows, tech stack patterns, action pinning policy, permissions, secrets inventory, and a gap analysis of current repo coverage. Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 440 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 440 insertions(+) create mode 100644 standards/ci-standards.md diff --git a/standards/ci-standards.md b/standards/ci-standards.md new file mode 100644 index 0000000..0a49813 --- /dev/null +++ b/standards/ci-standards.md 
@@ -0,0 +1,440 @@ +# CI/CD Standards + +Standard CI/CD configurations for all repositories in the **petry-projects** organization. +This document defines the required workflows, quality gates, and patterns that every +repository must implement. + +--- + +## Required Workflows + +Every repository MUST have these workflows. Templates are provided in the +[`standards/workflows/`](workflows/) directory. + +### 1. CI Pipeline (`ci.yml`) + +The primary build-and-test workflow. Structure varies by tech stack but must include: + +| Stage | Purpose | Required | +|-------|---------|----------| +| **Lint** | Static analysis / style enforcement | Yes | +| **Format check** | Formatting verification | Yes | +| **Type check** | Type safety (where applicable) | Yes | +| **Unit tests** | Fast, deterministic tests | Yes | +| **Coverage** | Code coverage reporting | Yes | +| **Integration tests** | Backend/API integration | If applicable | +| **E2E tests** | End-to-end functional tests | If applicable | +| **Build / Docker build** | Verify the artifact builds | If applicable | + +**Standard triggers:** + +```yaml +on: + push: + branches: [main] + pull_request: + branches: [main] +``` + +**Standard configuration patterns:** + +```yaml +permissions: + contents: read + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true +``` + +### 2. CodeQL Analysis (`codeql.yml`) + +Static Application Security Testing (SAST) via GitHub's CodeQL. + +**Standard configuration:** + +```yaml +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '25 14 * * 3' # Weekly scan (Wednesday) +``` + +**Language matrix by repo:** + +| Repository | CodeQL Language(s) | +|------------|-------------------| +| **broodly** | `actions` | +| **google-app-scripts** | `javascript-typescript` | +| **TalkTerm** | `python` (pending: `javascript-typescript`) | +| **markets** | `javascript-typescript` | +| **ContentTwin** | `javascript-typescript` (pending) | + +### 3. 
SonarCloud Analysis (`sonarcloud.yml`) + +Code quality, maintainability, security hotspots, and coverage tracking. + +**Standard configuration:** + +```yaml +name: SonarCloud Analysis + +permissions: {} + +on: + push: + branches: [main] + pull_request: + +jobs: + sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: SonarCloud Scan + if: ${{ env.SONAR_TOKEN != '' }} + uses: SonarSource/sonarqube-scan-action@v7 +``` + +**Required secrets:** `SONAR_TOKEN` + +Each repo needs a `sonar-project.properties` file at root with project key and org. + +### 4. Claude Code (`claude.yml`) + +AI-assisted code review via Claude Code Action on PRs. Also responds to +`@claude` mentions in PR comments. + +**Standard configuration:** + +```yaml +name: Claude Code + +on: + pull_request: + branches: [main] + types: [opened, reopened, synchronize] + issue_comment: + types: [created] + pull_request_review_comment: + types: [created] + +permissions: {} + +jobs: + claude: + if: >- + (github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository) || + (github.event_name == 'issue_comment' && github.event.issue.pull_request && + contains(github.event.comment.body, '@claude') && + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) || + (github.event_name == 'pull_request_review_comment' && + contains(github.event.comment.body, '@claude') && + contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) + runs-on: ubuntu-latest + timeout-minutes: 60 + permissions: + contents: read + id-token: write + pull-requests: write + issues: write + steps: + - name: Run Claude Code + if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]' + uses: 
anthropics/claude-code-action@v1 + with: + claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} +``` + +**Required secrets:** `CLAUDE_CODE_OAUTH_TOKEN` + +**Dependabot behavior:** The Claude Code step is skipped for Dependabot PRs (the +`if` condition on the step). The job still runs and reports SUCCESS to satisfy +required status checks. See [AGENTS.md](../AGENTS.md#claude-code-workflow-on-dependabot-prs). + +### 5. Dependabot Auto-Merge (`dependabot-automerge.yml`) + +Automatically approves and squash-merges eligible Dependabot PRs. +See [`workflows/dependabot-automerge.yml`](workflows/dependabot-automerge.yml) +and the [Dependabot Policy](dependabot-policy.md) for full details. + +### 6. Dependency Audit (`dependency-audit.yml`) + +Vulnerability scanning for all package ecosystems. +See [`workflows/dependency-audit.yml`](workflows/dependency-audit.yml) +and the [Dependabot Policy](dependabot-policy.md). + +--- + +## Workflow Patterns by Tech Stack + +### TypeScript / Node.js (npm) + +```yaml +steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: '20' # or 'lts/*' + cache: npm + - run: npm ci + - run: npm run check # lint + format + - run: npm run typecheck # tsc --noEmit + - run: npm test # unit tests + coverage +``` + +**Repos using this pattern:** google-app-scripts, ContentTwin + +### TypeScript / Node.js (pnpm) + +```yaml +steps: + - uses: actions/checkout@v4 + - uses: pnpm/action-setup@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + cache: pnpm + - run: pnpm install --frozen-lockfile + - run: pnpm run lint + - run: pnpm run typecheck + - run: pnpm run test +``` + +**Repos using this pattern:** broodly (TypeScript layer) + +### Go + +```yaml +steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version: '1.24' + cache-dependency-path: apps/api/go.sum + - run: go vet ./... + - uses: golangci/golangci-lint-action@v6 + - run: go test ./... 
-race -coverprofile=coverage.out +``` + +**Repos using this pattern:** broodly (Go API) + +### TypeScript + Electron (npm) + +```yaml +strategy: + matrix: + os: [ubuntu-latest, macos-latest, windows-latest] +steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 24 + cache: npm + - run: npm ci + - run: npm run typecheck + - run: npm run lint + - run: npm run format:check + - run: npm test + - run: npm run test:coverage +``` + +**Additional jobs for Electron:** +- Mutation testing (`npm run test:mutate`) — `continue-on-error: true` +- E2E tests via Playwright (`npx playwright test`) on macOS — `continue-on-error: true` + +**Repos using this pattern:** TalkTerm + +### Python + +```yaml +steps: + - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 + with: + python-version: '3.x' + # Project-specific: pip install, pytest, etc. +``` + +**Repos using this pattern:** TalkTerm (CodeQL only currently) + +--- + +## Action Pinning Policy + +All GitHub Actions MUST be pinned to a specific commit SHA, not a tag or branch. + +```yaml +# CORRECT — pinned to SHA +- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + +# WRONG — mutable tag +- uses: actions/checkout@v4 +``` + +**Rationale:** SHA pinning prevents supply-chain attacks where a tag is +force-pushed to a malicious commit. The comment after the SHA documents the +version for human readability. + +Dependabot keeps pinned SHAs up to date via the `github-actions` ecosystem +entry in `dependabot.yml`. + +> **Note:** The templates in this document use tag references (e.g., `@v4`) +> for readability. When copying to a repository, always replace tags with +> the current SHA and add a version comment. 
+ +--- + +## Permissions Policy + +All workflows MUST follow the principle of least privilege: + +```yaml +# Top-level: reset to no permissions +permissions: {} + +jobs: + my-job: + permissions: + contents: read # Only what this job needs +``` + +**Common permission sets:** + +| Workflow | Permissions | +|----------|------------| +| CI (build/test) | `contents: read` | +| SonarCloud | `contents: read`, `pull-requests: read` | +| Claude Code | `contents: read`, `id-token: write`, `pull-requests: write`, `issues: write` | +| CodeQL | `actions: read`, `security-events: write`, `contents: read` | +| Dependabot auto-merge | `contents: read`, `pull-requests: read` (+ app token for merge) | + +--- + +## Secrets Required by Repository + +| Secret | Purpose | Repos | +|--------|---------|-------| +| `CLAUDE_CODE_OAUTH_TOKEN` | Claude Code Action authentication | All repos with `claude.yml` | +| `SONAR_TOKEN` | SonarCloud analysis | broodly, markets, ContentTwin, google-app-scripts | +| `APP_ID` | GitHub App for Dependabot auto-merge | All repos with `dependabot-automerge.yml` | +| `APP_PRIVATE_KEY` | GitHub App private key | All repos with `dependabot-automerge.yml` | +| `GCP_PROJECT_ID` | GCP project for container registry | broodly | +| `GCP_WORKLOAD_IDENTITY_PROVIDER` | GCP Workload Identity Federation | broodly | +| `GCP_SERVICE_ACCOUNT` | GCP service account email | broodly | + +--- + +## CI Job Naming Convention + +CI job names become the GitHub status check names that branch protection +references. Use consistent, descriptive names: + +| Pattern | Example | Notes | +|---------|---------|-------| +| Language / tool name | `TypeScript`, `Go`, `SonarCloud` | For multi-language repos | +| `build-and-test` | `build-and-test` | For single-language repos | +| `Analyze` or `Analyze ()` | `Analyze`, `Analyze (Python)` | CodeQL jobs | +| `claude` | `claude` | Claude Code Action | + +These names are referenced in branch protection required status checks. 
+Changing a job name requires updating the branch protection configuration. + +--- + +## Org-Level Workflows + +The [`.github` repository](https://github.com/petry-projects/.github) contains +org-level workflows that run across all repositories: + +### OpenSSF Scorecard (`org-scorecard.yml`) + +- **Schedule:** Weekly (Monday 9:00 UTC) +- **Purpose:** Security posture scoring for all public repos +- **Behavior:** Creates/updates GitHub Issues with findings, auto-closes resolved findings +- **Skip list:** CII-Best-Practices, Contributors, Fuzzing, Maintained, Packaging, Signed-Releases + +--- + +## CI Auto-Fix Pattern + +Some repositories implement automatic formatting fixes on PRs: + +```yaml +autofix: + needs: build-and-test + if: > + github.event_name == 'pull_request' && + github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + - run: npm run format && npm run lint -- --fix + - name: Commit fixes + run: | + if ! git diff --quiet; then + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + git add -A + git commit -m "chore(ci): apply prettier/eslint auto-fixes" + git push + fi +``` + +**Repos using this pattern:** google-app-scripts + +> **Note:** Auto-fix only runs on same-repo PRs (not forks) since it needs +> write access to the PR branch. + +--- + +## Applying CI to a New Repository + +1. **Determine tech stack** and select the matching workflow patterns above +2. **Create `ci.yml`** with lint, format, typecheck, and test stages +3. **Add `codeql.yml`** with the appropriate language(s) +4. **Add `sonarcloud.yml`** and configure `sonar-project.properties` +5. **Add `claude.yml`** for AI code review +6. **Add `dependabot.yml`** from the appropriate template in [`standards/dependabot/`](dependabot/) +7. 
**Add `dependabot-automerge.yml`** from [`standards/workflows/`](workflows/) +8. **Add `dependency-audit.yml`** from [`standards/workflows/`](workflows/) +9. **Configure secrets** in the repository settings +10. **Set required status checks** in branch protection (see [GitHub Settings](github-settings.md)) +11. **Pin all action references** to commit SHAs + +--- + +## Current Repository CI Status + +| Repository | CI | CodeQL | SonarCloud | Claude | Dep Auto-merge | Dep Audit | Dependabot Config | +|------------|:--:|:------:|:----------:|:------:|:--------------:|:---------:|:-----------------:| +| **broodly** | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| **markets** | — | Yes | Yes | Yes | Yes | Yes | Yes | +| **google-app-scripts** | Yes | Yes | Yes | Yes | Yes | — | — | +| **TalkTerm** | Yes | — | — | — | — | — | — | +| **ContentTwin** | — | — | Yes | — | — | — | — | +| **bmad-bgreat-suite** | — | — | — | — | — | — | — | + +### Gaps to Address + +- **TalkTerm:** Missing SonarCloud, Claude Code, Dependabot config, auto-merge, dependency audit +- **ContentTwin:** Missing CI pipeline, CodeQL, Claude Code, Dependabot config, auto-merge, dependency audit +- **bmad-bgreat-suite:** Missing all CI workflows (new repo) +- **google-app-scripts:** Missing dependency audit workflow and Dependabot config +- **markets:** Missing dedicated CI pipeline (relies on SonarCloud + Claude as checks) From 9007b9bd24c3f4d25c3b119863d88c52a385e3d4 Mon Sep 17 00:00:00 2001 
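Review bot: the Action Pinning Policy relies on Dependabot's `github-actions` ecosystem as the only thing that refreshes pinned SHAs, yet the Current Repository CI Status table in the same file shows TalkTerm, ContentTwin and bmad-bgreat-suite with no Dependabot config, so pinning those repos today would freeze them on whatever commit is pinned with nothing to move them forward. Step 11 of "Applying CI to a New Repository" ("Pin all action references") should state that step 6 (`dependabot.yml` with a `github-actions` entry) is a prerequisite, and the policy text should say the same. Separately, CodeQL is the only required workflow whose "Standard configuration" shows triggers but no job or `permissions` block, even though the Permissions Policy table expects `security-events: write` for it; show the block repos are meant to copy, as the SonarCloud and Claude Code sections do.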
From: DJ Date: Sat, 4 Apr 2026 05:53:25 -0700 Subject: [PATCH 2/7] fix: address Copilot review feedback on CI standards - Clarify that only Dependabot workflows have reusable templates; CI/CodeQL/SonarCloud/Claude are documented as copy-and-adapt patterns - Fix top-level permissions in CI example to use {} per permissions policy - Add branches filter to SonarCloud pull_request trigger for consistency Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index 0a49813..d7c99a2 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md @@ -8,8 +8,10 @@ repository must implement. ## Required Workflows -Every repository MUST have these workflows. Templates are provided in the -[`standards/workflows/`](workflows/) directory. +Every repository MUST have these workflows. Reusable templates for Dependabot +workflows are in [`standards/workflows/`](workflows/). The CI, CodeQL, +SonarCloud, and Claude Code workflows are documented as patterns below — copy +and adapt the examples to each repo's tech stack. ### 1. CI Pipeline (`ci.yml`) @@ -39,8 +41,7 @@ on: **Standard configuration patterns:** ```yaml -permissions: - contents: read +permissions: {} # Reset top-level; set per-job (see Permissions Policy below) concurrency: group: ci-${{ github.ref }} @@ -88,6 +89,7 @@ on: push: branches: [main] pull_request: + branches: [main] jobs: sonarcloud: From ad320a49bd1308b2344034897c0be62809d175d8 Mon Sep 17 00:00:00 2001 
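Review bot: in the CI hunk, `permissions: {} # Reset top-level; set per-job (see Permissions Policy below)` removes the only grant in the example without adding a job-level one, so the snippet as shown yields a workflow whose `GITHUB_TOKEN` has no scopes at all; `actions/checkout` then fails on a private repository, and any step that uses the token (coverage upload, status comments) fails everywhere. Since this section is presented as the pattern to copy, show the `jobs:` entry with its `permissions: contents: read` next to the reset instead of deferring to the policy section.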
From: DJ Date: Sat, 4 Apr 2026 05:56:44 -0700 Subject: [PATCH 3/7] fix: address CodeRabbit SHA pinning and Go version feedback - Pin SHAs in SonarCloud, Claude Code, and auto-fix workflow examples - Clarify that tech stack patterns use tags for illustration only - Update Go version example to use 'stable' with note about pinning Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index d7c99a2..0d8c41f 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md @@ -101,12 +101,12 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: SonarCloud Scan if: ${{ env.SONAR_TOKEN != '' }} - uses: SonarSource/sonarqube-scan-action@v7 + uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0 ``` **Required secrets:** `SONAR_TOKEN` @@ -155,7 +155,7 @@ jobs: steps: - name: Run Claude Code if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]' - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@bee87b3258c251f9279e5371b0cc3660f37f3f77 # v1 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} ``` @@ -224,7 +224,7 @@ steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version: '1.24' + go-version: 'stable' # Or pin to specific version (e.g., '1.24') matching go.mod cache-dependency-path: apps/api/go.sum - run: go vet ./... - uses: golangci/golangci-lint-action@v6 
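Review bot: `go-version: 'stable'` in the Go hunk makes the toolchain float, so the same commit can be built and tested with a different Go release from one week to the next and the `go` directive in `go.mod` is no longer what CI runs. `actions/setup-go` can read the version from the module file with `go-version-file: apps/api/go.mod`, which pins it in one place and keeps the cache key stable; that is simpler and safer than the comment's advice to mirror the version by hand.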
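Review bot: in the Claude Code hunk the pin comment on `anthropics/claude-code-action@bee87b3258c251f9279e5371b0cc3660f37f3f77 # v1` names a moving major tag rather than a release, so a reader, or a script that checks comments against SHAs, cannot tell which release the commit corresponds to, and there is no release label for other repos to align to. Record the exact tag the SHA was resolved from (vX.Y.Z), as the SonarCloud hunk does with `# v7.0.0`.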
@@ -293,9 +293,12 @@ version for human readability. Dependabot keeps pinned SHAs up to date via the `github-actions` ecosystem entry in `dependabot.yml`. -> **Note:** The templates in this document use tag references (e.g., `@v4`) -> for readability. When copying to a repository, always replace tags with -> the current SHA and add a version comment. +> **Note on examples in this document:** The "Workflow Patterns by Tech Stack" +> section uses tag references (e.g., `@v4`) for readability since those are +> illustrative patterns, not copy-paste templates. The "Required Workflows" +> section above uses SHA-pinned references where possible. When copying any +> example to a repository, always look up the current SHA for each action and +> pin to it with a version comment. --- @@ -384,7 +387,7 @@ autofix: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event.pull_request.head.ref }} - run: npm run format && npm run lint -- --fix From 7f8792f54a1442315e4cbe7c30ae7f633ca7645a Mon Sep 17 00:00:00 2001 From: DJ Date: Sat, 4 Apr 2026 06:01:16 -0700 Subject: [PATCH 4/7] fix: clarify single-job workflow permissions policy Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index 0d8c41f..95c3274 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md @@ -307,7 +307,7 @@ entry in `dependabot.yml`. All workflows MUST follow the principle of least privilege: ```yaml -# Top-level: reset to no permissions +# Multi-job workflows: reset at top, set per-job permissions: {} jobs: 
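Review bot: the auto-fix hunk pins the checkout SHA but leaves the job running `npm run format && npm run lint -- --fix` straight after checkout with no `actions/setup-node` and no `npm ci`, so prettier and eslint are not installed when the command runs and the step fails (or, if it ever passes, runs with whatever Node the runner image ships). Two further issues in the same block: `git add -A` stages every untracked file the tools or a prior step leave behind, so use `git add -u` or name the paths; and a push made with the default `GITHUB_TOKEN` does not start a new `pull_request` run, so the auto-fix commit, the one that actually gets merged, ends up with no CI result of its own unless the job pushes with an App or PAT token or the document calls this out as an accepted exception.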
@@ -316,6 +316,9 @@ jobs: contents: read # Only what this job needs ``` +For single-job workflows, top-level least-privilege permissions are acceptable +(e.g., `permissions: contents: read`) since there is only one job to scope. + **Common permission sets:** | Workflow | Permissions | From fae8fa151eb82551ebf0d46556113860ea2c5b65 Mon Sep 17 00:00:00 2001 From: DJ Date: Sat, 4 Apr 2026 06:04:55 -0700 Subject: [PATCH 5/7] fix: refine CI gap analysis and add version inconsistencies - Mark markets Dependabot config as partial (missing npm ecosystem) - Mark google-app-scripts auto-merge as older pattern - Flag non-standard npm limit:10 on google-app-scripts - Add CodeQL for TalkTerm to missing list - Add version inconsistency section (SonarCloud, CodeQL, Claude Code) Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index 95c3274..f23d532 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md 
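Review bot: the new paragraph allows single-job workflows to grant permissions only at the top level, but that exception erodes the rule the moment a second job is added (the new job silently inherits the top-level grant), and the document's own single-job examples (SonarCloud, Claude Code) already use `permissions: {}` plus a job-level block, so the two rules now disagree. Keep one rule, reset at top and grant per job, and note that the inline `permissions: contents: read` shorthand is a mapping that must be written on two lines in YAML.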
@@ -433,16 +433,22 @@ autofix: | Repository | CI | CodeQL | SonarCloud | Claude | Dep Auto-merge | Dep Audit | Dependabot Config | |------------|:--:|:------:|:----------:|:------:|:--------------:|:---------:|:-----------------:| | **broodly** | Yes | Yes | Yes | Yes | Yes | Yes | Yes | -| **markets** | — | Yes | Yes | Yes | Yes | Yes | Yes | -| **google-app-scripts** | Yes | Yes | Yes | Yes | Yes | — | — | +| **markets** | — | Yes | Yes | Yes | Yes | Yes | Partial (missing npm ecosystem) | +| **google-app-scripts** | Yes | Yes | Yes | Yes | Yes (older pattern) | — | Non-standard (npm limit:10) | | **TalkTerm** | Yes | — | — | — | — | — | — | | **ContentTwin** | — | — | Yes | — | — | — | — | | **bmad-bgreat-suite** | — | — | — | — | — | — | — | ### Gaps to Address -- **TalkTerm:** Missing SonarCloud, Claude Code, Dependabot config, auto-merge, dependency audit +- **TalkTerm:** Missing SonarCloud, Claude Code, Dependabot config, auto-merge, dependency audit, CodeQL - **ContentTwin:** Missing CI pipeline, CodeQL, Claude Code, Dependabot config, auto-merge, dependency audit -- **bmad-bgreat-suite:** Missing all CI workflows (new repo) -- **google-app-scripts:** Missing dependency audit workflow and Dependabot config -- **markets:** Missing dedicated CI pipeline (relies on SonarCloud + Claude as checks) +- **bmad-bgreat-suite:** Missing all CI workflows (new repo — no branch protection or rulesets either) +- **google-app-scripts:** Missing dependency audit workflow; Dependabot config uses `limit:10` for npm (should be `0` per policy); auto-merge workflow uses older pattern (`--admin` bypass instead of `--auto`) +- **markets:** Missing dedicated CI pipeline; Dependabot config only covers `github-actions` — missing `npm` ecosystem entry + +### Version Inconsistencies + +- **SonarCloud action:** broodly/markets use v7.0.0; ContentTwin/google-app-scripts use v6 +- **CodeQL action:** broodly uses v4; markets uses v3 +- **Claude Code Action:** Different SHA pins across 
repos (should be aligned) From db5618ca3e1349a33d98850e20ec06e95ee354b7 Mon Sep 17 00:00:00 2001 From: DJ Date: Sun, 5 Apr 2026 09:30:18 -0700 Subject: [PATCH 6/7] refactor: align CI standards with universal check requirements All five quality checks (SonarCloud, CodeQL, Claude, CI, Coverage) are required on every repo. Updated status table with Coverage column, prioritized gap remediation list, and version alignment targets. Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 42 ++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index f23d532..e86192b 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md 
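Review bot: the google-app-scripts entry describes the `--admin` bypass as merely an "older pattern", but `gh pr merge --admin` merges by bypassing branch protection, so a Dependabot PR can land on `main` with required checks failing or still running; that is a policy violation rather than a style lag and belongs ahead of the `limit:10` item in priority. Next to the `limit:10` / should be `0` remark, it is worth stating that (assuming `limit` means `open-pull-requests-limit`) a value of `0` turns off version updates for that ecosystem while security updates still open, so the reader understands the trade-off being mandated.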
@@ -430,25 +430,35 @@ autofix: ## Current Repository CI Status -| Repository | CI | CodeQL | SonarCloud | Claude | Dep Auto-merge | Dep Audit | Dependabot Config | -|------------|:--:|:------:|:----------:|:------:|:--------------:|:---------:|:-----------------:| -| **broodly** | Yes | Yes | Yes | Yes | Yes | Yes | Yes | -| **markets** | — | Yes | Yes | Yes | Yes | Yes | Partial (missing npm ecosystem) | -| **google-app-scripts** | Yes | Yes | Yes | Yes | Yes (older pattern) | — | Non-standard (npm limit:10) | -| **TalkTerm** | Yes | — | — | — | — | — | — | -| **ContentTwin** | — | — | Yes | — | — | — | — | -| **bmad-bgreat-suite** | — | — | — | — | — | — | — | +All five check categories are **required on every repository** (see +[GitHub Settings — code-quality ruleset](github-settings.md#code-quality--required-checks-ruleset-all-repositories)). +The specific ecosystems configured in each check depend on the repo's stack. + +| Repository | CI | CodeQL | SonarCloud | Claude | Coverage | Dep Auto-merge | Dep Audit | Dependabot Config | +|------------|:--:|:------:|:----------:|:------:|:--------:|:--------------:|:---------:|:-----------------:| +| **broodly** | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | +| **markets** | — | Yes | Yes | Yes | — | Yes | Yes | Partial | +| **google-app-scripts** | Yes | Yes | Yes | Yes | Yes | Yes (older) | — | Non-standard | +| **TalkTerm** | Yes | — | — | — | Yes | — | — | — | +| **ContentTwin** | — | — | Yes | — | — | — | — | — | +| **bmad-bgreat-suite** | — | — | — | — | — | — | — | — | ### Gaps to Address -- **TalkTerm:** Missing SonarCloud, Claude Code, Dependabot config, auto-merge, dependency audit, CodeQL -- **ContentTwin:** Missing CI pipeline, CodeQL, Claude Code, Dependabot config, auto-merge, dependency audit -- **bmad-bgreat-suite:** Missing all CI workflows (new repo — no branch protection or rulesets either) -- **google-app-scripts:** Missing dependency audit workflow; Dependabot config uses `limit:10` for npm 
(should be `0` per policy); auto-merge workflow uses older pattern (`--admin` bypass instead of `--auto`) -- **markets:** Missing dedicated CI pipeline; Dependabot config only covers `github-actions` — missing `npm` ecosystem entry +Every `—` in the table above is a gap that must be remediated. Priority order: + +1. **bmad-bgreat-suite:** Missing all CI workflows — needs full onboarding +2. **ContentTwin:** Missing CI, CodeQL, Claude, Coverage, Dependabot — 5 of 8 categories missing +3. **TalkTerm:** Missing CodeQL, SonarCloud, Claude, Dependabot — 4 of 8 categories missing +4. **markets:** Missing CI pipeline and Coverage; Dependabot config only covers `github-actions` (missing `npm` ecosystem) +5. **google-app-scripts:** Missing dependency audit; Dependabot npm `limit:10` (should be `0` per policy); auto-merge uses older `--admin` bypass pattern ### Version Inconsistencies -- **SonarCloud action:** broodly/markets use v7.0.0; ContentTwin/google-app-scripts use v6 -- **CodeQL action:** broodly uses v4; markets uses v3 -- **Claude Code Action:** Different SHA pins across repos (should be aligned) +All repos MUST align to the latest version of each action: + +| Action | Target Version | Repos Needing Update | +|--------|---------------|---------------------| +| **SonarCloud action** | v7.0.0 | ContentTwin, google-app-scripts (currently v6) | +| **CodeQL action** | v4 | markets (currently v3) | +| **Claude Code Action** | Latest SHA | All repos should use the same pinned SHA | From 75165c049158f4c172379b944f18394ca4dc2d20 Mon Sep 17 00:00:00 2001 
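Review bot: the new intro says all five check categories are required on every repository while the table that follows has eight columns and the gap list counts "5 of 8 categories"; either mark the five required ones (CI, CodeQL, SonarCloud, Claude, Coverage per the commit message) in the table or split it into required checks and supporting workflows. The Coverage column also needs to say which status check name it maps to: the CI Job Naming Convention section notes that branch protection matches on job names, and the tech-stack patterns earlier in the file report coverage inside the test job rather than as a separate check, so a row like markets with SonarCloud "Yes" and Coverage "—" gives no way to tell what is actually missing. Finally, "Latest SHA" is not a target a repo can be audited against; put the concrete SHA and its release tag in the table so alignment is verifiable.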
From: DJ Date: Sun, 5 Apr 2026 09:43:30 -0700 Subject: [PATCH 7/7] fix: CodeQL Friday noon EST, rule-based config, org-level secrets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Change CodeQL schedule to Friday 12:00 PM EST (cron: 0 17 * * 5) - Replace repo-specific language matrix with rule: all ecosystems present in repo must be configured as CodeQL languages - Move SONAR_TOKEN to org-level secrets - Replace "Secrets by Repository" with "Organization-Level Secrets for Standard CI" — all standard secrets are org-inherited Co-Authored-By: Claude Opus 4.6 (1M context) --- standards/ci-standards.md | 42 +++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/standards/ci-standards.md b/standards/ci-standards.md index e86192b..8b8c28c 100644 --- a/standards/ci-standards.md +++ b/standards/ci-standards.md @@ -61,18 +61,14 @@ on: pull_request: branches: [main] schedule: - - cron: '25 14 * * 3' # Weekly scan (Wednesday) + - cron: '0 17 * * 5' # Weekly scan (Friday 12:00 PM EST / 17:00 UTC) ``` -**Language matrix by repo:** - -| Repository | CodeQL Language(s) | -|------------|-------------------| -| **broodly** | `actions` | -| **google-app-scripts** | `javascript-typescript` | -| **TalkTerm** | `python` (pending: `javascript-typescript`) | -| **markets** | `javascript-typescript` | -| **ContentTwin** | `javascript-typescript` (pending) | +**Language configuration rule:** All ecosystems present in the repository MUST +be configured as CodeQL languages. If a repo contains `package.json`, add +`javascript-typescript`. If it contains `go.mod`, add `go`. If it contains +`.github/workflows/*.yml`, add `actions`. Multi-language repos configure +multiple languages via a matrix strategy. ### 3. SonarCloud Analysis (`sonarcloud.yml`) 
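Review bot: the language rule in this hunk enumerates `package.json`, `go.mod` and `.github/workflows/*.yml` but omits Python, even though the tech-stack section of this file has a Python pattern and lists TalkTerm under it; add the Python marker (`pyproject.toml`, `requirements.txt` or `setup.py` to `python`). Since every repo is required to carry workflows, the rule also implies `actions` is mandatory everywhere, which is worth saying outright. On the schedule, `0 17 * * 5` is 12:00 Eastern only under EST; GitHub cron runs in UTC, so during daylight time the scan runs at 13:00 Eastern, and the comment should promise 17:00 UTC rather than a local time.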
@@ -331,17 +327,21 @@ For single-job workflows, top-level least-privilege permissions are acceptable --- -## Secrets Required by Repository - -| Secret | Purpose | Repos | -|--------|---------|-------| -| `CLAUDE_CODE_OAUTH_TOKEN` | Claude Code Action authentication | All repos with `claude.yml` | -| `SONAR_TOKEN` | SonarCloud analysis | broodly, markets, ContentTwin, google-app-scripts | -| `APP_ID` | GitHub App for Dependabot auto-merge | All repos with `dependabot-automerge.yml` | -| `APP_PRIVATE_KEY` | GitHub App private key | All repos with `dependabot-automerge.yml` | -| `GCP_PROJECT_ID` | GCP project for container registry | broodly | -| `GCP_WORKLOAD_IDENTITY_PROVIDER` | GCP Workload Identity Federation | broodly | -| `GCP_SERVICE_ACCOUNT` | GCP service account email | broodly | +## Organization-Level Secrets for Standard CI + +All secrets required by the standard CI workflows are configured at the +**organization level** and inherited by all repos automatically: + +| Secret | Purpose | +|--------|---------| +| `CLAUDE_CODE_OAUTH_TOKEN` | Claude Code Action authentication | +| `SONAR_TOKEN` | SonarCloud analysis authentication | +| `APP_ID` | GitHub App ID for Dependabot auto-merge | +| `APP_PRIVATE_KEY` | GitHub App private key for Dependabot auto-merge | + +New repositories inherit these secrets with no additional configuration. +Repos with infrastructure beyond standard CI (e.g., GCP deployment) may +require additional repo-specific secrets. ---
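Review bot: making `CLAUDE_CODE_OAUTH_TOKEN`, `SONAR_TOKEN`, `APP_ID` and `APP_PRIVATE_KEY` org-level secrets "inherited by all repos automatically" means every workflow in every repository, including ones that never use these services, can read them, and anyone with write access to any repo can push a workflow that exfiltrates them; `APP_PRIVATE_KEY` in particular mints tokens for an App that approves and merges PRs. Set the org secrets' repository access policy to selected repositories (adding each repo as it is onboarded) rather than all, and note here that secrets are not exposed to `pull_request` runs from forks, which is why the SonarCloud template guards with `if: ${{ env.SONAR_TOKEN != '' }}` and why that required check passes green without scanning on fork PRs.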